
Decoder starts with initialization error and error in RSA Security Analytics

Issue

When the Decoder is started, it keeps reporting "initialization error". Investigating /var/log/messages, we found the following error:
 
"The length of the value (21149) exceeds the maximum allowed length (8192) for 0202 "



Cause

The above error is related to a specific existing Application rule in the Decoder. Examining the file /etc/netwitness/ng/NwDecoder.cfg, we found the following line, which refers to the actual App Rule:

 
<config getRoles="rules.manage" instance="config" maxLength="8192" name="0202" prettyName="0202" setRoles="rules.manage"
value="name=&quot;Win32.Locky Ransomware Malware Download Attempt Detected&quot; rule=&quot;ip.dst ='37.97.130.210','81.218.71.214',
'190.9.32.8','217.196.64.12','5.101.152.66','158.255.6.223','162.252.175.208','185.117.88.112','185.15.208.200','185.15.208.215',
'185.8.60.34','185.8.62.74','188.127.231.102','188.138.71.62','



As seen above, the rule's value is much longer than 8192, the limit set by maxLength="8192" on that entry, so when the Decoder is started it throws the error:

"The length of the value (21149) exceeds the maximum allowed length (8192) for 0202"

Therefore, the Decoder cannot start properly because of this limit.

Resolution



1- Stop the decoder service:
    stop nwdecoder

2- Edit the file /etc/netwitness/ng/NwDecoder.cfg

3- Find the entry with name="0202"

4- Once the entry is found, check its maxLength="8192" attribute and change it to a value greater than 21149, for example 24000, so that it can accommodate the lengthy App Rule.

5- Save the file

6- Start the decoder service:
    start nwdecoder
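
A pre-start check for the condition described above, as an added example (not NetWitness tooling and not part of the original article): it scans the text of NwDecoder.cfg for every entry whose value is longer than its maxLength, so all oversized rules can be fixed before the service is started. The regex-based parsing, the function name oversized_entries, and the choice to compare the raw attribute text (entities such as &quot; still encoded) are assumptions; the sample entries are constructed.

```python
import html
import re
import sys

# One <config ...> element; quoted attribute values may contain '>' or newlines.
ELEMENT = re.compile(r'<config\b(?:[^>"]|"[^"]*")*>')
ATTR = re.compile(r'([A-Za-z]+)="([^"]*)"')


def oversized_entries(cfg_text):
    """Return (name, limit, raw_len, decoded_len) for values longer than maxLength."""
    findings = []
    for element in ELEMENT.finditer(cfg_text):
        attrs = dict(ATTR.findall(element.group(0)))
        if "value" not in attrs or not attrs.get("maxLength", "").isdigit():
            continue
        limit = int(attrs["maxLength"])
        raw_len = len(attrs["value"])
        # Assumption: it is unknown whether the Decoder counts encoded or decoded
        # characters, so flag on the larger (raw) length and report both.
        decoded_len = len(html.unescape(attrs["value"]))
        if raw_len > limit:
            findings.append((attrs.get("name", "?"), limit, raw_len, decoded_len))
    return findings


# Constructed sample: documentation-range addresses, not real indicators.
IPS = ",".join("'192.0.2.%d'" % i for i in range(1, 21))
RULE = "name=&quot;Constructed rule&quot; rule=&quot;ip.dst =" + IPS + "&quot;"
SAMPLE = (
    '<config maxLength="8192" name="0001" '
    'value="name=&quot;ok&quot; rule=&quot;ip.dst =\'192.0.2.1\'&quot;"/>\n'
    '<config maxLength="64" name="0002"\n value="' + RULE + '"/>\n'
)

if __name__ == "__main__":
    # Pass the path to a copy of NwDecoder.cfg, or run without arguments for the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for name, limit, raw_len, decoded_len in oversized_entries(text):
        print("entry %s: value length %d raw / %d decoded exceeds maxLength %d"
              % (name, raw_len, decoded_len, limit))
```

Each reported entry needs either a larger maxLength, as in step 4, or a shorter rule.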

Product Details

NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: All Nodes
NetWitness Version/Condition: 12.x
Platform: CentOS/Alma
